Who is responsible for complying with privacy regulations?
The GDPR uses the terms controller (Article 4(7)), processor (Article 4(8)) and joint controllers (Article 26) to allocate responsibility for complying with the regulation. Under the accountability principle, the main responsibility for ensuring that personal data is processed in accordance with the GDPR rests with the controller.
A controller is the party that determines the purposes and means of the processing of personal data, while a processor processes personal data on behalf of the controller. Joint processing responsibility (joint controllership) arises where two or more parties jointly determine the purposes and means of the processing of personal data.
Assessments of the various roles in the usage phase
A question that emerged early on in the sandbox project was how responsibility should be divided between Secure Practice and their clients. The background to the question was that Secure Practice themselves entered the project with a desire to avoid the client (i.e. the employer) gaining access to individual risk profiles of employees, as a privacy measure to safeguard employees. Secure Practice was nevertheless in doubt about whether it was possible to guarantee this in practice, even if they could implement technical measures in the solution to prevent the client from gaining access to such data.
In its other services, Secure Practice has assessed its own role to be that of a processor and has drawn up ordinary data processing agreements with its clients. The client is then the controller and decides how the personal data is to be used. As a processor, Secure Practice is obliged to hand over any personal data the client asks for. The inherent risk of carrying this division of responsibility over to the new service is that Secure Practice could not refuse to disclose personal data on individual employees to the employer, even if it suspected that the data would be used for other purposes (for example to influence salary levels or bonus payments).
In collaboration with Secure Practice, the Norwegian Data Protection Authority examined the consequences of various divisions of responsibility, and an alternative arrangement based on joint processing responsibility was proposed. Secure Practice wishes to withhold personal data from its clients. By withholding that data, it exercises a decisive influence over the processing of the personal data which goes beyond the role of a processor. This means that Secure Practice and the client jointly determine the purposes and means of the processing of the employees' personal data.
In its guidelines on the concepts of controller and processor, the European Data Protection Board distinguishes between "essential" and "non-essential" means. Paragraph 40 of the guidelines ties "essential" means to the choices that are reserved to the controller. As the guidelines state, there is a close connection between what constitutes "essential means" and whether the processing is lawful, necessary and proportionate. "Non-essential" means concern practical implementation, for example the choice of security measures.
Minimising the employer's access to the employee's personal data can be seen as a means of reducing the privacy disadvantages of the tool. Those disadvantages are relevant to the assessment of the legal basis, and thus to whether the tool is lawful at all; see point 4.2 below.
European Court of Justice case law shows that parties can be joint controllers even if the processing is not evenly divided between them, or if the client does not itself have access to the personal data being processed. This can be the case where a service processes personal data for its own purposes, and that processing is only possible because the client facilitates it by choosing the service.
As the service is outlined in the sandbox project, Secure Practice's processing of personal data is only possible because the client uses the service. Secure Practice in turn exercises decisive influence over that processing by preventing personal data on each individual employee from being disclosed to the client. Withholding personal data from the client therefore creates a joint processing responsibility between Secure Practice and its clients.
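The "technical measures" mentioned above can be made concrete. The following is an added illustration written for this page, not Secure Practice's own code: the service keeps per-employee risk profiles, but the only client-facing query is a team-level aggregate that is suppressed when the cohort is too small to hide an individual, while an individual profile is disclosed only to the employee it concerns. The profiles, the 0.0 to 1.0 risk scale, the threshold of five, and the role names are all constructed assumptions for the example.

```python
import statistics
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this illustration: per-employee risk profiles as a
# service like this might hold them. Identifiers, teams and scores are made up.
@dataclass(frozen=True)
class RiskProfile:
    employee_id: str
    client_id: str
    team: str
    risk_score: float  # assumed scale: 0.0 (low) .. 1.0 (high)

PROFILES = [
    RiskProfile("e1", "acme", "finance", 0.82),
    RiskProfile("e2", "acme", "finance", 0.35),
    RiskProfile("e3", "acme", "finance", 0.40),
    RiskProfile("e4", "acme", "finance", 0.55),
    RiskProfile("e5", "acme", "finance", 0.20),
    RiskProfile("e6", "acme", "legal", 0.90),
    RiskProfile("e7", "acme", "legal", 0.10),
    RiskProfile("e8", "beta", "ops", 0.60),
]

# Assumed threshold: below this headcount a team average says too much about one person.
MIN_COHORT = 5
HIGH_RISK = 0.7  # assumed cut-off for the "high risk" share


class AccessDenied(Exception):
    pass


def employer_team_summary(client_id: str, team: str,
                          min_cohort: int = MIN_COHORT) -> Optional[dict]:
    """The only view the client (employer) gets: aggregates for large-enough cohorts."""
    cohort = [p for p in PROFILES if p.client_id == client_id and p.team == team]
    if len(cohort) < min_cohort:
        return None  # suppressed rather than exposing a near-individual figure
    scores = [p.risk_score for p in cohort]
    return {
        "team": team,
        "headcount": len(cohort),
        "mean_risk": round(statistics.fmean(scores), 2),
        "share_high_risk": round(sum(s >= HIGH_RISK for s in scores) / len(scores), 2),
    }


def employee_own_profile(requester_id: str, employee_id: str) -> RiskProfile:
    """The data subject may see their own profile and nothing else."""
    if requester_id != employee_id:
        raise AccessDenied("individual risk profiles are disclosed only to the employee concerned")
    for p in PROFILES:
        if p.employee_id == employee_id:
            return p
    raise KeyError(employee_id)


def employer_individual_profile(client_id: str, employee_id: str) -> RiskProfile:
    """There is no client-side path to individual data: deny unconditionally.

    Keeping an explicit, always-denying endpoint makes the design decision visible in
    the code and in audit logs instead of relying on the route simply not existing.
    """
    raise AccessDenied("the service withholds individual risk profiles from the client")


if __name__ == "__main__":
    print(employer_team_summary("acme", "finance"))  # aggregate for a 5-person team
    print(employer_team_summary("acme", "legal"))    # None: only 2 people, suppressed
```

A cohort threshold on its own does not defeat differencing: a client that can query "finance" today and "finance" again after one person leaves can recover that person's score from the two averages. In practice the cohort definitions are fixed in advance, results are rounded coarsely, and every aggregate query is logged so such comparisons can be spotted.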
A European Court of Justice case
The European Court of Justice has held that converging economic interests point towards joint processing responsibility, in its judgment of 29 July 2019 in Fashion ID, C-40/17, paragraph 80:
"As to the purposes of those operations involving the processing of personal data, it appears that Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity of its goods by making them more visible on the social network Facebook when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a plugin on that website is in order to benefit from the commercial advantage consisting in increased publicity for its goods; those processing operations are performed in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes is the consideration for the benefit to Fashion ID."
The purpose of organising the processing with joint processing responsibility is to ensure that the division of responsibility reflects the actual role that Secure Practice undertakes in the individual processing situations. This means that there is no change in the processes where Secure Practice actually acts as a processor and processes personal data on behalf of the client. However, where the processing is not exclusively done on behalf of the client, the GDPR requires the parties to identify this.
Secure Practice and the individual client must map the processes where they jointly determine the purposes and means of the processing so that they determine responsibility among themselves in a transparent manner. A transparent determination of responsibility between Secure Practice and their clients is intended to prevent the diffusion of responsibility between the companies when employees seek to exercise their rights under GDPR.
The allocation of responsibility can take place through a contract or other document between the client and Secure Practice. Regardless of how this is arranged between Secure Practice and the client it must be communicated outwardly so that employees are aware of how they can request access to their personal data and exercise their rights in accordance with GDPR.
Artificial intelligence in three phases
We often divide artificial intelligence into three phases: development, usage and learning. The question of data protection arises in all phases.
The development phase: Machine learning is sometimes used to gain insight into large data quantities, insight that can in turn be used to develop new solutions. For example, Secure Practice has carried out an analysis of emails to find out what characteristics are particularly present in suspicious emails. These findings could then be turned into artificial intelligence to detect harmful emails, through specific patterns that developers incorporate into the software.
Usage phase: Machine learning can also be used to discover new connections in real time, without humans needing to be involved in the process. In other words, the degree of automation here will be high, unlike the development phase, although it may otherwise be very similar. Secure Practice already uses machine learning in real time in its MailRisk service, without humans being involved, to identify and classify hitherto unseen scams and cyber-attacks that spam filters have been unable to stop.
Learning phase: This resembles the development phase, but generally with more data available, in particular data on the outcomes after the system has done its job. Learning can be crucial for verifying or improving the correctness of a machine learning model. This applies especially to conditions that change over time, such as the fraud methods used in malicious emails. Learning is also relevant for complex conditions, such as security attitudes among the company's employees.
Secure Practice has not used personal data in the development phase of the service to which the project applies. It has therefore been decided to focus this project on the usage phase which illustrates the specific challenges in the workplace most clearly. We have also briefly discussed learning at various points, to illustrate that machine learning is a continuous process.
Assessments of the various roles in the learning phase
The use of personal data for learning to improve one’s own products is, unlike the other processing, primarily of interest to Secure Practice, although their customers may also benefit from the results of such learning.
Secure Practice alone determines the purposes and means of this processing. The learning can, however, only be carried out with the personal data that is generated in the service.
To ensure that Secure Practice has sole processing responsibility for the learning phase, controls should be established in the user interface so that the client can prevent its employees' personal data from being used for this purpose. This separation removes any lack of clarity about when Secure Practice is acting as a controller and when it is acting as a processor. Furthermore, information on the processing should be clearly presented to clients who wish to enable this functionality.
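What such a control looks like on the data path, as an added example for this page rather than Secure Practice's own implementation: a per-client learning switch is consulted when training data is exported, events from clients that have not enabled it never enter the learning set, and the records that are exported carry a pseudonymised subject identifier and derived features rather than the raw email content. The events, the client settings, the HMAC key and the field names are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events for this illustration (not real clients, people or mail).
@dataclass(frozen=True)
class Event:
    client_id: str
    employee_id: str
    email_subject: str
    reported_as_phishing: bool  # what the employee did
    was_phishing: bool          # what it turned out to be

EVENTS = [
    Event("acme", "e1", "Invoice overdue", True, True),
    Event("acme", "e2", "Team lunch on Friday", False, False),
    Event("beta", "e8", "Password reset required", False, True),
]

# The per-client switch exposed in the UI. Assumed default when absent: not enabled,
# so data from a client that never touched the setting stays in processor-only use.
CLIENT_SETTINGS: Dict[str, Dict[str, bool]] = {
    "acme": {"learning_opt_in": True},
    "beta": {"learning_opt_in": False},
}

# Assumed secret held by the service only. Using a key per training run means the
# pseudonyms in one training set cannot be joined to the live service data afterwards.
PSEUDONYM_KEY = b"example-key-for-this-training-run"


def learning_enabled(client_id: str) -> bool:
    """True only if the client has explicitly enabled use of its data for learning."""
    return CLIENT_SETTINGS.get(client_id, {}).get("learning_opt_in", False)


def pseudonymise(employee_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash so the same person lines up across events without the ID being stored."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def export_training_records(events: List[Event] = EVENTS) -> List[dict]:
    """Build the learning set, honouring each client's switch and minimising the fields."""
    records = []
    for ev in events:
        if not learning_enabled(ev.client_id):
            continue  # stays in processor-only processing on behalf of the client
        records.append({
            "controller": "service",          # this purpose is the service's own
            "subject": pseudonymise(ev.employee_id),
            "label": ev.was_phishing,
            "user_reported": ev.reported_as_phishing,
            "subject_len": len(ev.email_subject),  # a feature, not the text itself
        })
    return records


if __name__ == "__main__":
    for r in export_training_records():
        print(r)
```

The switch is checked at the point of export rather than at collection, so the same event store serves the usage phase (processor role) regardless of the setting, and only the learning export (controller role) depends on it.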